Security managers, govt talk about cooperation

Corporate information security managers say they can see benefits in helping the US Department of Commerce improve computer security at private companies, but some also worry it could lead to unwanted regulations or public disclosure of a company's security problems or practices.

The Commerce Department last week met behind closed doors in New York with representatives from about 75 companies that deliver vital services such as transportation, banking, finance, telecommunications and energy, along with some IT vendors, as part of a first step in creating a "partnership" on information security.

Several security managers interviewed after the meeting were mostly supportive of cooperative approaches that would give them faster and more complete information about security threats, as well as increase research and development on information security and train more people in computer skills.

But there were reservations.

"It's kind of a dicey issue because there is a real lack of trust between industry and the government," said Rick Holmes, the director of security and quality assurance at Union Pacific in Omaha.

For instance, Holmes said, suppose government research leads to a new encryption algorithm with a key-recovery mechanism. The government may have access to that mechanism, but "do we know whether it does or not?"

Holmes also said there was "a veiled threat through this [meeting] about regulation" if companies don't move to voluntarily improve security.

The Clinton administration has made information security a priority in both the public and private sectors and is due to soon release a national plan for improving security. After the meeting, Commerce Secretary William Daley issued a statement that said in regard to the private sector, the federal government "cannot mandate a solution."

Holmes and others at the meeting said the partnership could play an important role.

"We have a need to act together to protect something that we all use but that none of us control on our own," said Bruce Bonsall, director of information security at Massachusetts Mutual Life Insurance.

Bonsall said he applauded the effort and sees a need for the government and private industry to develop a means to disseminate information about new threats to the Internet and share best practices for protecting systems. "For the most part, corporate America just sits back and we wait for alerts to come down," he said.

The government could correlate threat information from various key sectors and point out new problems, said Bell Sentecac, director of security at Wells Fargo & Co. "The government has a lot of ability coordinating disjointed facts," he said.

But Sentecac said there is also concern about sharing data with the government for fear that private corporate information could be exposed to the public under freedom of information laws.

Government officials know they face problems in winning corporate support.

"The reality is that companies are ambivalent about all this stuff," said Commerce Undersecretary William Reinsch, in an interview. "Because, on the one hand, they want very much to get caught up on the latest information. They want threat reports, they want to hear what is going on out there, and they are very concerned about their own vulnerabilities."

But at the same time, said Reinsch, companies are very concerned about the publicity. "They don't want to be engaged in activities that involve them in admitting that they're vulnerable, because it hurts confidence and exposes them. It's kind of a fine line," he said.

Reinsch said the government can help boost IT security by funding research and development projects on information security and passing on threat information and best practices.

This effort isn't being organised in response to any specific information security threat, he noted. The goal is to try to develop a system that will help prevent any problem.

"The happiest result of all our efforts here is nothing is going to happen - no disaster," said Reinsch. "If we have a disaster, people will get cranked up, and then we will get lots of money out of Congress and lots of companies saying 'help us.' "
